Remote Login Service stores servers from previous user
Bug #1070896 reported by Ted Gould
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Remote Login Service | Fix Released | High | Unassigned |
remote-login-service (Ubuntu) | Fix Released | High | Unassigned |
Quantal | Fix Released | High | Marc Deslauriers |
Raring | Fix Released | High | Unassigned |
Bug Description
If a user logs into RLS and gets the servers, and then another user logs in, instead of deleting the previous user's the rls service returns both sets of servers.
This is a security bug, but an unlikely one. It would require the user logging into RLS, then walking away from the machine without using the results. And then someone coming and logging into the same machine.
Related branches
lp:~aacid/remote-login-service/free_subservers_on_new_call
- Ted Gould (community): Approve
- PS Jenkins bot: Pending (continuous-integration) requested
- Diff: 31 lines (+7/-0), 2 files modified
  - src/uccs-server.c (+4/-0)
  - tests/dbus-interface.c (+3/-0)
lp:~ted/remote-login-service/ubuntu-cve
- Ubuntu Desktop: Pending requested
- Diff: 57 lines (+39/-0), 3 files modified
  - debian/changelog (+6/-0)
  - debian/patches/01_clear_servers.patch (+32/-0)
  - debian/patches/series (+1/-0)
CVE References
Changed in remote-login-service:
- status: In Progress → Fix Committed
Changed in remote-login-service (Ubuntu):
- status: New → Confirmed
Changed in remote-login-service:
- importance: Undecided → High
Changed in remote-login-service (Ubuntu):
- importance: Undecided → High
- information type: Public → Public Security
Changed in remote-login-service (Ubuntu Quantal):
- status: New → Confirmed
- importance: Undecided → High
- assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in remote-login-service:
- status: Fix Committed → Fix Released
This bug was fixed in the package remote-login-service - 1.0.0-0ubuntu1.1
---------------
remote-login-service (1.0.0-0ubuntu1.1) quantal-security; urgency=low
  * SECURITY UPDATE: credentials disclosure via second login (LP: #1070896)
    - debian/patches/01_clear_servers.patch: Clear servers on second login
      in src/uccs-server.c, add test to tests/dbus-interface.c.
    - CVE-2012-0959
 -- Marc Deslauriers <email address hidden> Mon, 05 Nov 2012 14:05:14 -0500
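
The behaviour described in the bug report, reduced to a minimal model as an added example (not code from remote-login-service or its patch): a cached server list that keeps the first user's entries when a second login stores its results, next to the variant that clears the list first. The type, the function names and the server names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SERVERS 8
#define NAME_LEN 64

/* Hypothetical stand-in for the service's cached server list. */
typedef struct {
    char names[MAX_SERVERS][NAME_LEN];
    size_t count;
} server_cache;

/* Store one login's results. With clear_first == 0 the new entries are
 * appended to whatever an earlier login left behind (the reported
 * behaviour); with clear_first != 0 the cache is emptied first. */
void store_login_result(server_cache *c, const char *const *servers,
                        size_t n, int clear_first) {
    if (clear_first)
        memset(c, 0, sizeof *c);
    for (size_t i = 0; i < n && c->count < MAX_SERVERS; i++)
        snprintf(c->names[c->count++], NAME_LEN, "%s", servers[i]);
}

/* Returns 1 if the named server is visible in the cache, else 0. */
int cache_contains(const server_cache *c, const char *name) {
    for (size_t i = 0; i < c->count; i++)
        if (strcmp(c->names[i], name) == 0)
            return 1;
    return 0;
}

/* Constructed sample data: server lists for two different users. */
static const char *const FIRST_USER[]  = { "desk-a.example", "vdi-a.example" };
static const char *const SECOND_USER[] = { "desk-b.example" };

/* First user logs in, then second user; returns how many of the first
 * user's servers the second session can still see. */
int leaked_after_second_login(int clear_first) {
    server_cache c;
    memset(&c, 0, sizeof c);
    store_login_result(&c, FIRST_USER, 2, clear_first);
    store_login_result(&c, SECOND_USER, 1, clear_first);
    return cache_contains(&c, FIRST_USER[0]) + cache_contains(&c, FIRST_USER[1]);
}

int main(void) {
    printf("without clearing: %d stale entries\n", leaked_after_second_login(0));
    printf("with clearing:    %d stale entries\n", leaked_after_second_login(1));
    return 0;
}
```

The same two-login sequence works as a regression test: assert that none of the first user's entries are returned after the second login.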